WO2004036362A2 - Compression of secure content - Google Patents

Compression of secure content

Info

Publication number
WO2004036362A2
Authority
WO
WIPO (PCT)
Prior art keywords
compression
recited
encrypted information
request
compressed
Prior art date
Application number
PCT/US2003/032598
Other languages
English (en)
Other versions
WO2004036362A3 (fr)
Inventor
Brian Metzger
Venkitachalam Gopalakrishnan
Alan Frindell
Thomas Fountain
Sanjay Beri
Original Assignee
Ingrian Networks, Inc.
Priority date
Filing date
Publication date
Application filed by Ingrian Networks, Inc.
Priority to AU2003279970A
Publication of WO2004036362A2
Publication of WO2004036362A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N 19/00 Methods or arrangements for coding, decoding, compressing or decompressing digital video signals
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/30 Compression, e.g. Merkle-Damgard construction
    • H04L 2209/60 Digital content management, e.g. content distribution
    • H04L 2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations

Definitions

  • This invention relates to secure content and, more specifically, to compression of secure content.
  • Compression products and related functionality do not allow content to be secured (encrypted) during the entire time that the content is transported through the network, because most compression products are unable to interpret encrypted content. To determine whether content can be compressed, the compression product needs to interpret it, and most compression products can interpret content only when it is unencrypted, i.e., not secure.
  • FIG. 1 is a block diagram that illustrates a high-level network diagram showing aspects of a computerized environment in which the compression of secure content can be performed, according to certain embodiments.
  • FIG. 2 is a block diagram that illustrates some of the components typically incorporated in at least some of the computer systems and other devices on which the facility executes.
  • FIG. 3 is a flow chart that illustrates some of the steps that the facility performs, according to certain embodiments.
  • FIG. 4 is a block diagram of a CSE graphical user interface (GUI), according to certain embodiments of the invention.
  • GUI: graphical user interface.
  • A facility for dynamically compressing secure information, i.e., encrypted information or content, before the secure information is transported to the client that requested it is described.
  • Secure information, i.e., encrypted information or content.
  • A software implementation of the facility is described.
  • The facility may be a software implementation, a hardware implementation, or a combination thereof, and may vary from implementation to implementation.
  • The current embodiments are not restricted to any particular implementation.
  • The facility includes a proxy server, a cryptographic engine, and a compression service engine.
  • The compression service engine, in collaboration with the cryptographic engine, is configurable to interpret a request for encrypted information as well as the response to the request. The purpose of such an interpretation includes determining: 1) whether the client that sent the request is capable of accepting compressed encrypted information, and 2) the type and level of compression to apply to the encrypted information, if the client is capable of accepting compressed encrypted information. If a copy of the encrypted information is already stored in a proxy cache, then the encrypted information is retrieved from the proxy cache for serving to the client, rather than requesting the encrypted information from a back-end server.
  • FIG. 1 is a high-level block diagram that illustrates aspects of a computerized environment 100 in which the compression of secure content can be performed, according to certain embodiments.
  • FIG. 1 shows a plurality of clients 102a-102n, a network 104, a proxy server 106 and a back-end server 108. There may be more than one back-end server.
  • Compression of secure content is performed with the aid of one or more other computer systems, such as proxy server 106.
  • Components of the facility may reside on and/or execute on any combination of these computer systems, and intermediate results from the compression may similarly reside on any combination of these computer systems.
  • The facility includes a proxy server, an encryption/decryption service engine (cryptographic engine) and a compression service engine (CSE).
  • The facility may be embodied in a single device or distributed among various devices. For embodiments that include hardware implementations, suitable hardware interfaces are used for the CSE.
  • The computer systems 100 shown in FIG. 1 are connected via network 104, which may use a variety of different networking technologies, including wired, guided or line-of-sight optical, and radio frequency networking.
  • The network includes the public switched telephone network.
  • Network connections established via the network may be fully persistent, session-based, or intermittent, such as packet-based. While the facility typically operates in an environment such as is shown in FIG. 1 and described above, those skilled in the art will appreciate that the facility may also operate in a wide variety of other environments.
  • Communication between any of clients 102a-102n and back-end server 108 is through secure communication links using a secure protocol.
  • FIG. 2 is a block diagram showing some of the components typically incorporated in at least some of the computer systems and other devices on which the facility executes, including some or all of the server and client computer systems shown in FIG. 1.
  • These computer systems and devices 200 may include one or more central processing units ("CPUs") 201 for executing computer programs; a computer memory 202 for storing programs and data (including data structures) while they are being used; a persistent storage device 203, such as a hard drive, for persistently storing programs and data; a computer-readable media drive 204, such as a CD-ROM drive, for reading programs and data stored on a computer-readable medium; and a network connection 205 for connecting the computer system to other computer systems, such as via the Internet, to exchange programs and/or data (including data structures). While computer systems configured as described above are typically used to support the operation of the facility, those skilled in the art will appreciate that the facility may be implemented using devices of various types and configurations, and having various components.
  • Clients and servers exchange sensitive data (secure content) by encrypting the data before transmission through the network.
  • Bandwidth and latency constraints are of concern.
  • Bandwidth is expressed as the number of bits of data per second (bps). If the bandwidth is not wide enough to support the amount of data being relayed at the speed the data is being processed, then a bottleneck occurs. Bottlenecks have adverse effects on latency because they increase the time it takes for a data packet to travel from its source to its destination.
  • FIG. 3 is a flow chart that illustrates some of the steps of a procedure 300 that the facility performs, according to certain embodiments.
  • The request is first decrypted, if the request is encrypted.
  • The requesting client can accept compressed data if the request contains an "Accept-Encoding: gzip" header, for example.
  • A proxy server that can employ an encryption/decryption service engine to decrypt both the request and the response is used.
  • If the client cannot accept compressed data, procedure 300 arrives at block 304, where the requested data is retrieved and sent to the requesting client in uncompressed form. Some older versions of client browsers are unable to accept compressed data.
  • If the client can accept compressed data, procedure 300 arrives at block 306, where it is determined whether the requested data is stored in the cache. If the requested data is not already in the cache, then at block 308 the proxy server requests the data from the back-end server. If the requested data is already stored in the cache, then at block 310 the proxy server retrieves the requested data from the cache.
  • The requested data is decrypted and examined to determine the desired type and level of compression.
  • The desired type of compression may be either gzip compression or GIF compression, for example.
  • The level of compression is the percentage by which images can be compressed.
  • With gzip compression enabled, the CSE will compress the response if: 1) the request contains an Accept-Encoding: gzip header, and 2) the response does NOT contain a Content-Encoding header.
  • With GIF compression enabled, the CSE will scale down GIF images according to a user-specified level of compression or quality factor. Each image can be decoded and a reduction algorithm applied; the image can then be re-encoded.
  • The type of image reduction algorithm may vary from implementation to implementation.
  • If the desired compressed data object is already in the cache, the proxy server will simply serve it to the requesting client. If the desired compressed data object is not in the cache, then at block 318 the CSE is called upon to apply the appropriate compression technique to compress the requested data at the desired level of compression. It is further assumed that the proxy server and associated CSE can interface with third-party libraries to perform the actual content compression and image reduction. Such libraries may or may not be free, may require license fees, etc. The performance of the proxy server and associated CSE is related to the performance of such libraries.
  • The CSE can leverage third-party libraries to perform the actual compression.
  • gzip compression can be performed by zlib, and GIF compression by giflib.
  • For GIF compression, a modified version of GIFSICLE in library form can be used.
  • A secure tunnel is maintained for the transport of the compressed data object to the requesting client.
  • The compression of the requested secure content results in improved response time and in a decreased amount of bandwidth needed to transport the compressed secure content.
  • Compression is a processor-intensive activity.
  • A user-configurable compression level will control the size of the compressed data object versus the performance impact.
  • The proxy server may make an intelligent choice not to compress the data if the processor is heavily loaded at the time of satisfying the request. If the requested data is suitable for caching, the proxy server will cause a copy of the requested data to be compressed at a later time when the processor is less busy. The resulting compressed data object is then stored in the cache for purposes of satisfying future requests for such secure content.
  • The cache is capable of distinguishing data objects by Content-Encoding. This will prevent gzipped objects from being served to clients that did not send an "Accept-Encoding: gzip" header.
  • The quality factor will be part of the cache lookup for a GIF, to prevent other forwarding rules from accessing compressed (i.e., reduced-quality) GIF images.
  • A particular forwarding rule may allow reduced-quality images to be sent as a response if it is known that the client browser, such as a PDA browser for example, has little ability to appreciate high-quality images.
  • The first client to request a compressed image may receive the original image. This will start the reduction process in the background, eventually placing the compressed image in the cache for future use.
  • Clients accept plain-encoded objects.
  • A given client may be served a plain-encoded object even though such a client can accept compressed content.
  • An older browser makes a request for "/index.html" and does not send an "Accept-Encoding: gzip" header.
  • The plain object is stored in the cache.
  • A modern browser requests the same object but does send the Accept-Encoding: gzip header. Since the modern browser implicitly accepts plain encodings, the plain copy from the cache is served to the modern browser, rather than compressing the requested object and sending the compressed object to the modern browser.
  • The module informs the cache that the CSE is attached, so that the above scenario is treated as a cache miss.
  • A cache setting is added that allows the administrator to specify that the back-end server is performing the compression, so that plain-encoding hits can be treated as misses on those forwarding rules as well.
  • The compression service engine can be configured to selectively compress secure content. As previously explained, some clients may not accept compressed content while other clients may.
  • The compression service engine can be configured to select for compression only the secure content that is destined for clients that will accept compressed content. Furthermore, different compression algorithms may be selected based on the characteristics of the content being served.
  • The proxy server and the associated compression service engine can be configured by administrators who have knowledge of: 1) the type of content served through such a proxy server, and 2) the web server environment.
  • The compression service engine is configurable using a plurality of profiles. Each profile defines a different configuration. Profiles are described in greater detail herein with reference to FIG. 4.
  • The proxy server uses a set of forwarding rules to determine how incoming requests from client browsers are to be treated.
  • Service engine filters are filters that allow a user to specify conditions that need to be satisfied for a CSE to process a request or response.
  • A CSE and a filter are attached to each forwarding rule.
  • If an administrator wishes to enable or disable the CSE based on the Content-Type or User-Agent headers (or any other HTTP headers), the administrator can create an appropriate service engine filter. For example, if a particular user agent has a bug which causes it to send an "Accept-Encoding: gzip" header when it does not in fact support gzip, a service engine filter can be used to disable the module for this agent.
  • The same method can be used to restrict compression to objects that have Content-Type: text/*, etc. The following steps may be followed: 1) create a new profile with the desired compression levels; 2) create a response filter to control what content will be compressed; 3) attach the profile and filter to the forwarding rule.
  • FIG. 4 is a block diagram of a CSE graphical user interface (GUI), according to certain embodiments of the invention.
  • CSE user interface 400 comprises a profile list 402.
  • Profile list 402 contains a list of existing profiles (compression profiles) as indicated by profile name 404.
  • CSE GUI 400 also comprises a "create profile" section such as create profile 408.
  • Each profile will have a properties page where the attributes of the profile can be viewed or modified. The properties page can be accessed by selecting the properties button 406.
  • Each profile of the CSE may include the following configurable attributes: Profile Name 410, the name by which this profile is referred to by forwarding rules; Log Level 412, how much information should be logged; Enable gzip Compression 414, true if this profile performs gzip compression; gzip Compression Level 416, an integer trade-off of speed versus size (1 = fastest/largest, 9 = slowest/smallest).
  • GIF Compression 418: true if this profile performs GIF compression.
  • GIF Compression Level 420: user-defined quality factor. The user will be able to set a specific number of colors to reduce to, or a percentage to reduce colors by. The user will also be able to select from different compression algorithms, and to select different algorithms for color and grayscale images.
  • A check box per forwarding rule, for example.
  • The proxy may need to be restarted. If image compression is performed in a separate process, such a process may also need to be restarted.
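The following is an added example, not code from the patent or from Ingrian Networks: a small Python model of the CSE decision rules described above (compress only when the request carries Accept-Encoding: gzip and the response has no Content-Encoding header; cache keyed by Content-Encoding so gzipped objects never reach clients that did not ask for them; a plain cached copy treated as a miss when a CSE is attached; and deferral of compression when the processor is busy). The class name, the load threshold and the back-end content are assumptions for illustration.

```python
import gzip

# Constructed sample content standing in for the decrypted back-end response.
BACKEND = {
    "/index.html": (b"<html>" + b"hello world " * 50 + b"</html>", {}),
    "/already.gz": (gzip.compress(b"pre-compressed by origin"),
                    {"Content-Encoding": "gzip"}),
}


class CompressionProxy:
    """Model of the proxy cache plus compression service engine (CSE).

    Cache entries are keyed by (path, encoding) so that a gzipped object is
    only ever returned for a request that sent Accept-Encoding: gzip.
    """

    def __init__(self, gzip_level=6, load_threshold=0.8, cse_attached=True):
        self.gzip_level = gzip_level          # profile attribute 416: 1..9
        self.load_threshold = load_threshold  # assumed cut-off, not from the page
        self.cse_attached = cse_attached      # is a CSE attached to this rule?
        self.cache = {}
        self.deferred = []                    # paths to compress when CPU is idle

    def _fetch(self, path):
        body, headers = BACKEND[path]
        self.cache[(path, "plain")] = (body, dict(headers))  # keep the plain copy
        return body, dict(headers)

    def serve(self, path, request_headers, cpu_load=0.0):
        accepts_gzip = "gzip" in request_headers.get("Accept-Encoding", "")
        if not accepts_gzip:  # client cannot take compressed data: plain object
            return self.cache.get((path, "plain")) or self._fetch(path)
        hit = self.cache.get((path, "gzip"))
        if hit is not None:
            return hit
        plain = self.cache.get((path, "plain"))
        # Without a CSE the plain copy satisfies the request (clients accept
        # plain encodings); with a CSE attached this case is a cache miss.
        if plain is not None and not self.cse_attached:
            return plain
        body, headers = plain if plain is not None else self._fetch(path)
        if "Content-Encoding" in headers:  # never re-encode an encoded response
            return body, headers
        if cpu_load > self.load_threshold:  # busy: serve plain, compress later
            self.deferred.append(path)
            return body, headers
        return self._compress(path, body, headers)

    def _compress(self, path, body, headers):
        out = gzip.compress(body, compresslevel=self.gzip_level)
        out_headers = dict(headers, **{"Content-Encoding": "gzip"})
        self.cache[(path, "gzip")] = (out, out_headers)
        return out, out_headers

    def run_deferred(self):
        """Background pass: compress queued objects into the cache."""
        while self.deferred:
            path = self.deferred.pop()
            body, headers = self.cache[(path, "plain")]
            self._compress(path, body, headers)


def roundtrip_ok(path, response):
    """True if a gzipped response decompresses to the back-end original."""
    body, headers = response
    if headers.get("Content-Encoding") != "gzip":
        return False
    return gzip.decompress(body) == BACKEND[path][0]
```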

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)
  • Compression, Expansion, Code Conversion, And Decoders (AREA)
  • Computer And Data Communications (AREA)

Abstract

According to the invention, the encrypted response to a request is first decrypted in order to determine the type and rate of compression that can be applied to the response. The response is then compressed and encrypted in order to satisfy the request.
PCT/US2003/032598 2002-10-15 2003-10-15 Compression of secure content WO2004036362A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003279970A AU2003279970A1 (en) 2002-10-15 2003-10-15 Compression of secure content

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US41884402P 2002-10-15 2002-10-15
US60/418,844 2002-10-15

Publications (2)

Publication Number Publication Date
WO2004036362A2 true WO2004036362A2 (fr) 2004-04-29
WO2004036362A3 WO2004036362A3 (fr) 2004-08-26

Family

ID=32107982

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/032598 WO2004036362A2 (fr) 2002-10-15 2003-10-15 Compression of secure content

Country Status (2)

Country Link
AU (1) AU2003279970A1 (fr)
WO (1) WO2004036362A2 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4386416A (en) * 1980-06-02 1983-05-31 Mostek Corporation Data compression, encryption, and in-line transmission system
US6021198A (en) * 1996-12-23 2000-02-01 Schlumberger Technology Corporation Apparatus, system and method for secure, recoverable, adaptably compressed file transfer
US6154542A (en) * 1997-12-17 2000-11-28 Apple Computer, Inc. Method and apparatus for simultaneously encrypting and compressing data
WO2002101605A2 (fr) * 2001-06-12 2002-12-19 Research In Motion Limited System and method for compressing secure e-mail for exchange with a mobile data communication device

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2091175A1 (fr) * 2008-02-18 2009-08-19 Kabushiki Kaisha Toshiba Decryption processing apparatus, system and method, and computer program product
US11252210B2 (en) 2009-01-13 2022-02-15 Viasat, Inc. Content set based deltacasting
US20140040353A1 (en) * 2009-01-13 2014-02-06 Viasat, Inc. Return-link optimization for file-sharing traffic
US10951671B2 (en) 2009-01-13 2021-03-16 Viasat, Inc. Content set based deltacasting
US10187436B2 (en) 2009-01-13 2019-01-22 Viasat, Inc. Content set based deltacasting
US11916990B2 (en) 2009-01-13 2024-02-27 Viasat, Inc. Content set based deltacasting
US10536495B2 (en) 2009-01-13 2020-01-14 Viasat, Inc. Content set based deltacasting
US10547655B2 (en) 2009-01-13 2020-01-28 Viasat, Inc. Deltacasting
US11139919B2 (en) 2011-06-14 2021-10-05 Viasat, Inc. Transport protocol for anticipatory content
US11777654B2 (en) 2011-06-14 2023-10-03 Viasat, Inc. Transport protocol for anticipatory content
US9935740B2 (en) 2011-06-14 2018-04-03 Viasat, Inc. Transport protocol for anticipatory content
US10270842B2 (en) 2011-10-25 2019-04-23 Viasat, Inc. Opportunistic content delivery using delta coding
US11290525B2 (en) 2011-10-25 2022-03-29 Viasat, Inc. Opportunistic content delivery using delta coding
US11575738B2 (en) 2011-10-25 2023-02-07 Viasat, Inc. Opportunistic content delivery using delta coding
US10594624B2 (en) 2012-06-15 2020-03-17 Viasat, Inc. Opportunistic delivery of cacheable content in a communications network
US11743207B2 (en) 2012-06-15 2023-08-29 Viasat, Inc. Opportunistic delivery of cacheable content in a communications network
US10044637B2 (en) 2012-06-15 2018-08-07 Viasat, Inc. Opportunistic delivery of cacheable content in a communications network
US11070490B2 (en) 2012-06-15 2021-07-20 Viasat, Inc. Opportunistic delivery of cacheable content in a communications network

Also Published As

Publication number Publication date
AU2003279970A1 (en) 2004-05-04
WO2004036362A3 (fr) 2004-08-26
AU2003279970A8 (en) 2004-05-04

Similar Documents

Publication Publication Date Title
US10666522B2 (en) Server side content delivery network quality of service
US6088803A (en) System for virus-checking network data during download to a client device
US8024484B2 (en) Caching signatures
US6986018B2 (en) Method and apparatus for selecting cache and proxy policy
US11038942B2 (en) Optimizing adaptive bit rate streaming at edge locations
EP2263208B1 (fr) Content delivery in a network
EP1774439B1 (fr) Method and apparatus for implementing integrated caching in a communication network
US7636363B2 (en) Adaptive QoS system and method
CN101662503B (zh) Information transmission method in a network, proxy server and service system
US20020178330A1 (en) Systems and methods for applying a quality metric to caching and streaming of multimedia files over a network
US11064230B2 (en) Optimizing adaptive bit rate streaming for content delivery
US20020046262A1 (en) Data access system and method with proxy and remote processing
US20130103791A1 (en) Optimizing content delivery over a protocol that enables request multiplexing and flow control
US20040111492A1 (en) Access relaying apparatus
US20070038637A1 (en) Optimized network cache for virus scanning by examining the magic bytes of a file
WO2006074064A2 (fr) Method and apparatus for managing data object size in a multi-user environment
US9665646B1 (en) Method and system for providing bit rate adaptaion to video files having metadata
US20020147827A1 (en) Method, system and computer program product for streaming of data
WO2004036362A2 (fr) Compression of secure content
Pathak et al. ModNet: A Modular Approach to Network Stack Extension
US10893303B1 (en) Streaming chunked media segments
US11368505B2 (en) Dynamic variant list modification to achieve bitrate reduction
CN116827619A (zh) Method, device and computer-readable medium for preventing HTTP amplification attacks
Zdenek Siblík, Compressing Proxy

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP